On Tue, 29 Aug 2006, Lisa Muir wrote:
> material, most from the BSD world, making statements about pf being
> much better than iptables because of stateful inspection etc.
Arg.
Stateful firewalling is *stupid*. To have state as a goal is *brain
dead*. We need a campaign to drum this into people heads, as has been
done for "NAT is evil".
Filtering TCP requires 0 state. Bear this in mind when you hear
insanely mental people harp on about firewall-state-syncing solutions
which can *never* work 100% reliably.
And let's say nothing about some of the *incredibly* dumb firewalls
which can not be restarted without breaking ongoing TCP connections
due to being so stupid as to try validate window sizes (hallo some
BSD ipfilter - FreeBSD possibly).
"Stateful filtering of TCP is evil"
(and yes, I *did* have to deal with connectivity problems due to dumb
firewalling yet *again* today. There ought to be a requirement to
force people to obtain a certificate in:
"Path MTU discovery, and the role of ICMP in it."-ology
from the Online University of IP before anyone is allowed to go near
a firewall).
regards,
--
Paul Jakma paul at clubi.iepaul at jakma.org Key ID: 64A2FF6A
Fortune:
Fry: What's with the eye?
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
